Stephane, Patrik,

>> Stephane Bortzmeyer <[email protected]> wrote
>> a message of 126 lines which said:
>>
>>> % dig SOA pr.
>>>
>>> ; <<>> DiG 9.5.1-P3 <<>> SOA pr.
>>> ;; global options: printcmd
>>> ;; Got answer:
>>> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 940
>>
>> It works now. The DLV registry at ISC updated the key. Apparently, the
>> .PR people rolled over with a very short notice and anyone using DLV
>> or manual tracking of keys will have experienced the problem.
>>
>> Lesson learned: activating DNSSEC validation today is only for
>> playing and should not be done in a production environment.
>
> .SE has been in production mode for the last 2.5 years. It has been working
> very well in Sweden with all the major resolver operators performing DNSSEC
> validation. I would rather say that DLV is not ready for use in a production
> environment.

I would rather say that .PR is at fault here. I discovered that the .PR key
had changed only from my automated ITAR update script. At first they removed
the .PR key from ITAR and after that they added a new key - it didn't look
like a regular, well-planned rollover. Or has anybody seen an announcement?

When .SE changed their key, I got announcements from several places and it
was well planned and everybody could prepare before the rollover was done.

Also, if .PR knew that their key is in the DLV registry, they should exchange
their key in DLV as well.

Ondrej
-- 
Ondřej Surý <[email protected]>
http://blog.rfc1925.org/
_______________________________________________
Unbound-users mailing list
[email protected]
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
